Critical WebSocket Hijacking Flaw (CVSS 9.7) in Cline AI Coding Agent — Workspace Data Exfiltration via Any Website

Summary

A critical WebSocket hijacking vulnerability with a CVSS score of 9.7 has been discovered in Cline’s local Kanban server, the widely-used open-source AI coding agent. The flaw allowed any website a developer visited to silently exfiltrate workspace data and inject arbitrary commands into the AI agent.

The vulnerability exploited the lack of origin validation on Cline’s local WebSocket server, meaning a malicious webpage could establish a connection to the developer’s local instance and interact with the AI agent as if it were the legitimate client. This could lead to source code theft, credential harvesting, and arbitrary command injection through the AI agent’s capabilities.

A patch has been released in Cline version 0.1.66. All users of earlier versions are strongly urged to update immediately, particularly those who use Cline in environments with access to sensitive codebases or production credentials.

Source

📰 Check Point Research – May 11 Threat Intelligence Report

Commentary

AI coding assistants are becoming ubiquitous in developer workflows, and this vulnerability highlights a fundamental risk: these tools often run local servers with powerful capabilities but minimal security controls. A WebSocket server with no origin validation is basically an open door for any webpage to walk through.

The attack scenario is elegant in its simplicity — visit the wrong webpage while Cline is running, and your entire workspace is compromised. As AI coding agents gain features like file system access, terminal execution, and API integrations, the security implications of their local attack surface deserve far more scrutiny. Developers should update to 0.1.66 immediately and audit what other local services their AI tools are exposing.